Microsoft and Google Clash Over Exposed Windows Security Hole

Readers, we have a heavyweight grapple on our hands. Microsoft isn’t best pleased with Google, after the company’s Threat Analysis Group publicly revealed a major vulnerability in Windows before Microsoft managed to patch it.

Google discovered the flaw on October 21st and privately informed Microsoft about it. The flaw involves a file called Win32k.sys and is described as “a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.” At the time, it was already being exploited by cybervillains.

However, Google went ahead and revealed it to the world yesterday, while Microsoft was still working on a fix.

“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” reads Google’s Halloween blog post. “The vulnerability is particularly serious because we know it is being actively exploited.”

Unsurprisingly, the move has pissed Microsoft right off, and the firm’s unleashed utter hell on its great rival by issuing a carefully worded statement to VentureBeat:

We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.

The only thing missing from that was “yo mama”. Okay, not quite. Always nice to see a bit of heavyweight beef though. [BBC, VentureBeat]